RFR: 8264774: Implementation of Foreign Function and Memory API (Incubator) [v3]

Maurizio Cimadamore mcimadamore at openjdk.java.net
Thu Apr 29 10:34:53 UTC 2021

On Wed, 28 Apr 2021 23:22:38 GMT, Mandy Chung <mchung at openjdk.org> wrote:

> My statement was overly simplified, sorry. If `handle` is invoked in another module B and invoked by a class in module B, which module (the `lookup`'s module or ) do you expect be the caller to check against for native access check? `CLinker::downcallHandle` is not caller-sensitive but its implementation is.
> The method handle of a caller-sensitive method behaves as if it were called from an instruction contained in the lookup class [1].

I think I expect that, with caller sensitive, it is possible from a client in an "enabled" module to obtain a MethodHandle, and then pass it to an unprivileged module, which then calls it, and works ok. This matches my expectation (this trick could be used also to give a client access to an otherwise inaccessible - in the classic sense - method).

So, when working with method handles, I'm completely fine working with the lookup class as context (and not with the real caller class). 

Given all this, do you agree that current checks are not affected by interface-ness of some of the methods involved?


PR: https://git.openjdk.java.net/jdk/pull/3699

More information about the core-libs-dev mailing list